
Add/Remove Programs option disabled due to Adware or Spyware...

JerkyMyTurky

Junior Member
Add/Remove Programs option disabled due to Adware or Spyware. The problem is I can't access the Add/Remove Programs option, each time I click on the icon, it fails to do anything. There is no error message, but at the same time, no access is granted with that icon, so I can't uninstall programs.

The reason I know it is due to the Adware or Spyware is because I had recently opened an .exe program and it installed a ton of Adware/Spyware programs onto my system. I usually never get pop ups and after opening this file, I started to get pop ups. The Add/Remove Programs worked for maybe 45 minutes, while I uninstalled some of the newly installed programs (GAIN, Bargain Buddy, Webrebates, etc.), but it eventually stopped giving me access. I ran Ad-Aware and Spybot S&D that got most of the programs out of my system. Although I still received pop ups. My main concern is not the Adware and Spyware and removing them, I only mention them because I believe they were the cause for the Add/Remove Programs option being disabled and this may help in figuring out how to re-enable that option.

Any and all help is greatly appreciated.
 
BargainBuddy is not very easy to remove. I can give you a tip to start with: see if you can get into Services, and stop and disable the WinTools for IE service as seen on this list from another BargainBuddy victim. If you're not familiar with Services, it's in Control Panel > Performance & Maintenance (on a WinXP system) > Administrative Tools. If you see any other services in there that are obviously related to your malware, stop and disable them too. Once you've got that done, check back here.

Bigger picture: if you've contemplated a fresh installation of Windows, here's your chance to re-do it and really set it up tight this time. If you want to do that, I have suggestions for both initial setup and ongoing prevention of future malware here. If you follow all of the suggestions under the Ongoing prevention section, and avoid questionable .exe's and stuff in the future, you should be sitting pretty.

I know people are not used to my suggestion of using a Limited-class account on their own computer, but it's like a seatbelt that keeps you safely inside the passenger compartment if your car rolls over at speed. In combination with the other measures, it's very effective as a deterrent to unwanted software, unless you let the demons out of the box yourself like you evidently did this time.
 
I believe I got rid of most of the Adware and Spyware with Ad-aware and Spybot Search & Destroy.

I just need to know how I can re-enable my Add/Remove Programs option in the Control Panel.
 
If you got rid of the spyware, you wouldn't be getting spammed with popups. Look in Task Manager and I bet bargains.exe is merrily flyin' along as usual, am I right? It reinstalls itself.

Anyway. What version of Windows do you have there?
 
See if you can start the Add/Remove Programs with this command: Start > Run > appwiz.cpl. If it fails, does an error message appear, and what is it exactly?
 
An error has occurred in the script on this page.

Line: 21
Char: 1
Error: Object doesn't support this property or method
Code: 0
URL: res://sp3res.dll/default.hta

Do you want to continue running scripts on this page?

Yes/No

After clicking yes or no, I get this message...

An unexpected error occured.

Object doesn't support this property or method
res://sp3res.dll/default.hta
Line: 21

OK
 
Do this then, assuming your browser still browses:

1) Make a folder C:\HJT on your hard drive.

2) Download Hijack This (a Zip file containing hijackthis.exe) into that C:\HJT folder. Also download Winsockfix for Windows 2000 (props to DetroitSportsFan for this).

3) Extract hijackthis.exe from the Zip file and run it. Run a scan and click the Save log button.

4) Paste the contents of the logfile in a post in this thread for analysis and recommended course of action.

5) Run that Winsockfix thingie too.


It is time to check your coverage on the following stuff:
  • Firewall. You got a hardware and/or software firewall going, right?
  • Antivirus. What antivirus are you using, and is it up-to-date?
  • Windows patching. You got Service Pack 4 and the ~53 (yes really) other post-SP4 patches for Windows/IE/WinMediaPlayer/MSXML/MDAC?
  • Strong passwords on Administrator-class or Power-User-class accounts. Run Microsoft Baseline Security Analyzer if you need an easy way to check: MBSA. Leave these blank or weak, it's like leaving your car unlocked with the keys in the ignition.
 
This is a screenshot of the scan...
http://img75.exs.cx/my.php?loc...&image=scan123.jpg
http://img75.exs.cx/img75/8131/scan123.jpg

I also ran the Winsockfix for Windows 2000.

I am behind a Linksys router, so I believe that serves as a Firewall for me.
I am using Norton Anti-Virus 2005, which is up-to-date.
I don't believe I have Service Pack 4 or the ~53 or any other patches. How do I check?
I don't know about passwords on Administrator-class or Power-User-class accounts either.
 
Good, you have a firewall and current antivirus 😎 Can you make sure Norton is up-to-date by running Live Update, and if you didn't already, go through all its panels and max out the detection options, including spyware/adware and heuristics and scanning within compressed files.

To get your Windows version, go Start > Run winver. Should say if it has a Service Pack or not, like this. IE6 with Service Pack 1 is the latest baseline IE for Win2000 Pro. To get your Internet Explorer version, start IE and click Help > About Internet Explorer.

To get Service Pack 4, IE6SP1, and the other stuff, visit Windows Update. Keep going back until you come up clean, it could take four visits if you have to get SP4, then IE6SP1, then DirectX 9.0C, and so on. Afterwards, run that Microsoft Baseline Security Analyzer and it'll tell you what patches you still need and where to get them.

To get to your account passwords, open Control Panel > Users and Passwords and you'll see one like this (note that I have a Restricted User account named mechBgon that I use for daily usage, besides the built-in Administrator and Guest accounts). Now click the Advanced button on the Advanced tab, and another panel opens, like shown here, go into the Users folder, and right-click each user and give it a strong password, something not dictionary-based and with a symbol in it, such as p1zza=🙂.

If you don't have password-based log-on when you start the computer, this won't change that, it simply strengthens the underlying passwords to prevent a back-door approach to your computer using its administrative shares.

As for the actual issue here, you have Browser Help Objects messing with your system. Can you post the actual text from your logfile, instead of a picture of the text, so it can be analyzed and a removal procedure suggested 🙂


edit: oops, FuseTalk borked my links, one moment...
 
This is the scan from hijackthis...

Logfile of HijackThis v1.98.2
Scan saved at 6:36:42 PM, on 12/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\documents and settings\administrator\local settings\temp\N6xnh.exe
C:\WINNT\mssetup.exe
C:\WINNT\system32\r?ndll32.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FAF392B-C734-5F98-D425-60557E817B18} - C:\WINNT\system32\dkfcu.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Administrator\Local Settings\Temp\5qGy4.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [pV1ZY.exe] C:\documents and settings\administrator\local settings\temp\pV1ZY.exe
O4 - HKLM\..\Run: [N6xnh.exe] C:\documents and settings\administrator\local settings\temp\N6xnh.exe
O4 - HKLM\..\Run: [57846d15c54a] C:\WINNT\system32\comaddin.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Clock] C:\WINNT\msswchx.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.co...es/clients/y/st2_x.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

When I do the winver, I get this...

About Windows
Microsoft (R) Windows
Version 5.0 (Build 2195: Service Pack 4)
Copyright (C) 1981-1999 Microsoft Corp.

This product is licensed to:
JMT

Physical memory available to Windows: 523,056 KB

It's nearly identical to yours.

I haven't run Windows Updates in awhile and there are a few updates I have to run and I am about to do that after I make this post.
 
Super. I am going to try to follow the lead of others here (and they know who they are 🙂) and advise what to fix. First, however, did you go through your Windows Services looking for stuff that seems related to the malware? Stop and disable anything you're sure belongs to the malware.

Ok, here we go:

1) update your Norton definitions with LiveUpdate, another new definition set came out today

2) go back to Windows Update again, they released their monthly IE patch mid-today

3) do a full system scan with Norton, making sure it's scanning within compressed files, using maximum heuristics, no exceptions. If it finds anything, note what it found and report that.

4) set strong passwords on your user accounts to close the door on that method of exploitation

5) go to Control Panel > Folder Options and enable viewing of hidden & system folders AND protected operating-system folders

6) reboot into Safe Mode and run HJT again. Fix the following stuff:
  • R3 - Default URLSearchHook is missing
  • O2 - BHO: (no name) - {4FAF392B-C734-5F98-D425-60557E817B18} - C:\WINNT\system32\dkfcu.dll
  • O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
  • O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Administrator\Local Settings\Temp\5qGy4.dll
  • O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
  • O4 - HKLM\..\Run: [pV1ZY.exe] C:\documents and settings\administrator\local settings\temp\pV1ZY.exe
  • O4 - HKLM\..\Run: [N6xnh.exe] C:\documents and settings\administrator\local settings\temp\N6xnh.exe
  • O4 - HKLM\..\Run: [57846d15c54a] C:\WINNT\system32\comaddin.exe
  • O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
7) Delete the following folders and files from the hard drive:
  • C:\Program Files\NavExcel Search Toolbar (folder)
  • C:\Documents and Settings\Administrator\Local Settings\Temp (folder, you must do step #5 for this to be visible. It will be re-created by Windows when it's needed again).
  • C:\WINNT\mssetup.exe (file)
  • C:\WINNT\system32\r?ndll32.exe (file)
8) After all of that, I believe you're supposed to run your Winsock fix again

9) Reboot into Win2000 normally and run another HJT log and post it here again to see where you're at, and see if you can get into Add/Remove Programs now.


Good luck! 🙂
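As an added example (not part of the thread and not HijackThis's own logic), here is a small Python triage pass over the process, O2 and O4 lines of a HijackThis log like the one posted above. The four heuristics are assumptions chosen for illustration and catch only part of the fix list; entries such as the NavExcel toolbar still have to be looked up by name.

```python
import re

# Constructed input: a few lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\RUNDLL32.EXE
C:\documents and settings\administrator\local settings\temp\N6xnh.exe
C:\WINNT\system32\r?ndll32.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {4FAF392B-C734-5F98-D425-60557E817B18} - C:\WINNT\system32\dkfcu.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Administrator\Local Settings\Temp\5qGy4.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [pV1ZY.exe] C:\documents and settings\administrator\local settings\temp\pV1ZY.exe
O4 - HKLM\..\Run: [57846d15c54a] C:\WINNT\system32\comaddin.exe
"""

# Line shapes as they appear in the log above.
PROCESS = re.compile(r"^(?P<path>[A-Za-z]:\\.+)$")
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")


def parse_line(line):
    """Return {'kind', 'name', 'path'} for a process, O2 or O4 Run line, else None."""
    for kind, pattern in (("bho", BHO), ("run", RUN), ("process", PROCESS)):
        match = pattern.match(line)
        if match:
            fields = match.groupdict()
            return {"kind": kind, "name": fields.get("name", ""), "path": fields["path"]}
    return None


def reasons(entry):
    """Illustrative heuristics (assumptions, not a complete malware test)."""
    found = []
    path = entry["path"].lower()
    if "\\temp\\" in path:
        found.append("loads from a Temp directory")
    if "?" in path:
        # '?' is not a legal Windows file-name character, so it stands in
        # for a character the log could not represent.
        found.append("file name contains a character the log could not print")
    if entry["kind"] == "bho" and entry["name"] == "(no name)":
        found.append("BHO registered without a name")
    if entry["kind"] == "run" and re.fullmatch(r"[0-9a-f]{8,}", entry["name"]):
        found.append("Run value name is a bare hex string")
    return found


def triage(log_text):
    """Return (kind, path, reasons) for every parsed line that trips a heuristic."""
    flagged = []
    for raw in log_text.splitlines():
        entry = parse_line(raw.strip())
        if entry is None:
            continue
        why = reasons(entry)
        if why:
            flagged.append((entry["kind"], entry["path"], why))
    return flagged


if __name__ == "__main__":
    for kind, path, why in triage(SAMPLE_LOG):
        print(f"{kind:8} {path}\n         -> {'; '.join(why)}")
```

Anything it flags is a candidate for a closer look, not an automatic "fix" in HijackThis; legitimate installers also run from Temp.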
 
1) I updated my Norton definitions with LiveUpdate.

2) I have updated all the Windows Updates.

3) I did a search with the updated virus definitions and it found 2 Adware related files and I had them removed. I do not remember the filenames.

6) I fixed each of those, although one of the O2 - BHO was no longer on the list.

7) I deleted the first two, the second two files were not available for deletion.

9) Here is the new log...

Logfile of HijackThis v1.98.2
Scan saved at 2:13:44 AM, on 12/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\sptsupd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Clock] C:\WINNT\mstask.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.co...es/clients/y/st2_x.cab

When I try to run the Add/Remove Programs option, the same script error comes up.
 
Start up in Safe Mode again, run HJT and fix O4 - HKCU\..\Run: [Clock] C:\WINNT\mstask.exe. I'm suspicious of that O2 - BHO: NTIECatcher Class too, although I missed it before. 🙁

Could you look in the Norton 2005 Reports section and tell me the names and locations of those two detected files, and scan that same directory again? I'm wondering if they're coming back.

Also, would you be able to do this for me: go to Control Panel > Administrative Tools > Services, and click the Status header 'til all the Started services are on top, and slide open the names and descriptions a fair amount, then post a pic of it: example from my system

 
Ooops, I must be getting tired, I missed a couple more bits of that NetTransport 2 thing 🙁 So we got these to fix:

O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll

O4 - HKCU\..\Run: [Clock] C:\WINNT\mstask.exe

O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html

O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
 
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll

The above is a program I installed myself and use quite frequently. I had it for awhile before this problem occurred. Is it still necessary to run a fix with hijackthis on this? I don't want to affect the use of the program.

Here is a screenshot of the Norton Reports section. Although, I don't see those 2 specific Adware files on the list. I ran the Norton System Scan today and the files on that list are from a scan I did on the 30th, so I'm assuming the two files in question have been completely removed. The screenshot... http://img15.exs.cx/my.php?loc...mage=h5wvirusfiles.jpg

Here is the screenshot of my services list...
http://img15.exs.cx/my.php?loc...;image=i2kservices.jpg
 
If that NetTransport is your own, then my bad, go ahead and keep it as far as I'm concerned. It just seemed like exactly the type of name that you'd expect from Bad Things.

I don't see any out-of-place services running on the Services list, so that's good news 🙂 and if the spyware files are not coming back, that's good news too. I thought Norton had more of a text-based Reports section, but I'm basing that on my parents' Norton 2004, not 2005, so maybe I'm wrong.

So it appears that you've got your system clean but the stupid Win2000 Control Panel still won't work. The only idea I could suggest from here would be a Repair-install of Win2000, followed by re-patching the whole thing to SP4 and all subsequent patches. That's done by running Win2000 Setup from CD, but refusing the first Repair offer. Then you go on to where it shows the disk partitions, and it'll see that C:\WINNT contains a Windows installation and it'll offer to repair that. Now you say "repair" and it goes through the motions of installing Windows, except it (famous last words) retains all your data and programs. And then you patch it with Service Pack 4 and hit Windows Update, etc.

Sorry I've dragged you through all this and still not fixed the problem 🙁 If I get a chance tomorrow I'll try to find a better way to get the Control Panel working, but it's bedtime for now :moon:
 
Originally posted by: mechBgon
Super. I am going to try to follow the lead of others here (and they know who they are 🙂) and advise what to fix. First, however, did you go through your Windows Services looking for stuff that seems related to the malware? Stop and disable anything you're sure belongs to the malware.

Ok, here we go:

6) reboot into Safe Mode and run HJT again. Fix the following stuff:
  • R3 - Default URLSearchHook is missing
  • O2 - BHO: (no name) - {4FAF392B-C734-5F98-D425-60557E817B18} - C:\WINNT\system32\dkfcu.dll
  • O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
  • O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Administrator\Local Settings\Temp\5qGy4.dll
  • O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
  • O4 - HKLM\..\Run: [pV1ZY.exe] C:\documents and settings\administrator\local settings\temp\pV1ZY.exe
  • O4 - HKLM\..\Run: [N6xnh.exe] C:\documents and settings\administrator\local settings\temp\N6xnh.exe
  • O4 - HKLM\..\Run: [57846d15c54a] C:\WINNT\system32\comaddin.exe
  • O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

7) Delete the following folders and files from the hard drive:
  • C:\Program Files\NavExcel Search Toolbar (folder)
  • C:\Documents and Settings\Administrator\Local Settings\Temp (folder, you must do step #5 for this to be visible. It will be re-created by Windows when it's needed again).
  • C:\WINNT\mssetup.exe (file)
  • C:\WINNT\system32\r?ndll32.exe (file)

O2 - BHO: Helper Class.... Program Files/Nav Excel Search Toolbar

O3 - Toolbar: NavExcel Toolbar.... Program Files/ NavExcel Search Toolbar

NAV stands for Norton Anti Virus, was it okay for me to delete these?

I deleted the NavExcel Search Toolbar (folder), but I don't think you knew it was a Norton Anti Virus folder, should I retrieve this folder back from the Recycle Bin?






 
NavExcel isn't a Norton product, it's one of those &^%# search toolbars for IE. Let it stay gone.
 
Stop winamp, musicmatch jukebox (pos software if you ask me), and quicktime from starting up too. No need for that.
 
Any more ideas on how to fix this thing? I really don't want to have to reinstall my windows.

I ran a repair installation and everything is working properly again. I appreciate all the in depth and personal help. Thank you.
 